By Varun Putchala, Principal Consultant at Capco, and Glenn Kurban, Partner at Capco
Financial institutions are a major target of data breaches and deliberate attacks by cybercriminals. These data breaches can infringe upon the privacy of all stakeholders, often through unauthorized access to sensitive personally identifiable information (PII) data, such as social security numbers. Roughly 147 million customers were potentially affected by the Equifax data breach in September 2017. Numerous recent violations have occurred in areas of security, integrity, and confidentiality. This trend prompted regulators to strengthen existing laws, rules, and regulations to ensure firms prevent breaches or at least contain the risk substantially when a breach occurs. With this increase in regulatory mandates and the unpredictable nature of “what comes next,” firms are struggling to manage their data in a compliant manner.
Regulatory compliance is an often-underserved area. Since data is increasingly treated as an asset that drives decision-making, financial institutions can no longer ignore regulatory compliance. They must now remain fully compliant with all applicable regulatory obligations. By adopting a data governance program coupled with a regulatory intelligence function, financial institutions can govern their data effectively. Most importantly, this approach ensures adherence to regulatory compliance in an ever-changing regulatory landscape. Financial institutions can leverage the guidance in this paper to enact effective programs from scratch or improve existing ones.
General Viewpoint

Data is growing exponentially, and the regulatory landscape continues evolving. As financial institutions strive to keep up with the pace of change, substantial gaps are forming, resulting in non-compliance. Regulatory compliance is the adherence to laws, rules, and regulations (LRRs) that are created by government and industry regulatory authorities. Financial institutions must demonstrate full compliance with LRRs to ensure they are not met with regulatory fines.
Regulatory non-compliance can go unnoticed if compliance is not strictly enforced internally within the institution. A primary diagnostic of non-compliance is a data breach. These breaches expose the inadequate state of a compliance program in a public and often detrimental fashion. Regulatory examinations of existing data management practices have revealed clear violations or at least the lack of a mature, regulatory-compliant data program.
The Repercussions of Non-Compliance

Regulatory compliance is emerging as a critical area, and institutions are left with no choice but to remain compliant with regulatory obligations. Regulations are created to ensure banks operate lawfully while protecting customers, stakeholders, employees, and the company itself. Institutions that cannot demonstrate compliance or those subject to violations may face any or all of the following repercussions:
A. Monetary Penalties / Fines – Regulators are not hesitant to impose penalties on banks that do not meet regulatory obligations. Data acquired from the Bank Fines Report 2020 by Finbold.com indicates a total of $15.13 billion in aggregated fines in 2020. The United States accounts for the highest fines, at $11.11 billion or 73.4 percent of the issued fines.
B. Audits – Breaches are often the trigger points for an audit. They prompt regulators to investigate the bank’s functions, processes, and financials more regularly.
C. Reputational Damage – Non-compliance can negatively influence an institution’s public reputation. This can result in a loss of confidence among customers, resulting in a loss of market share and valuation in the case of a publicly traded company.
D. Cessation of Business – An increase in the frequency of violations can adversely affect the institution. It will ultimately be left with no choice but to cease business operations.
Enabling a Regulatory-Compliant Data Governance Program

Financial institutions can easily ensure their data supports regulatory compliance. This can be accomplished by building an effective data governance program alongside regulatory guidance.
A. An effective data governance program – Data management defines the systems, processes, and standards that determine the way data is created, stored, consumed, and reported in an organization. Data governance is a function of data management; it is the strategy applied to govern that management and to steer data through each stage of its lifecycle. This function involves documenting data types, ownership, and consumers, and assessing the data’s fitness for its desired purpose. It democratizes data and ensures it is trusted at its source and readily available, while establishing high levels of integrity, quality, consistency, accuracy, confidentiality, privacy, and security.
1. Data Classification and Catalog – The first essential step in data governance is classifying the organization’s data into structured and unstructured formats. It is necessary that this data is organized and managed in data catalogs. As part of this step, all data attributes need to be identified and mapped onto the locations where they are physically stored. Simultaneously, banks can also establish their Authoritative Data Sources to ensure data is trusted at its source.
2. Fit for use and purpose – Organizations have long been using their enterprise information assets for inappropriate applications. Hence, their use must be periodically reviewed to determine the purpose and their utility for fulfilling the needs of consumers. The data residing in these information assets must be usable and achieve the intended purpose. This review can be accomplished as part of the firm’s recertification process, when enterprise assets are verified and certified based on the criticality/sensitivity of the data residing within applications and EUCs.
3. Data Lineage – Documenting the journey of data from its source to its destination (i.e., where it is consumed) is necessary for organizations to ensure traceability. This process illustrates the flow of data through applications and EUCs while it undergoes various transformations along the way. All interfaces that facilitate the flow of data must be documented as well.
4. Minimum Controls – After the enterprise information assets and the data residing within them are documented, classified, and rated for risk, minimum controls need to be determined. A controls framework may be established for this purpose to document and organize the institution’s internal controls. These guidelines associate controls with the risks faced by a financial institution. As controls are applied, periodic gap assessments relative to the existing control environment must be performed to ensure high levels of data integrity and quality.
Capco’s Center for Regulatory Intelligence

Risk management and compliance functions are overwhelmed by the velocity and volume of regulatory information, often missing key trends and context, which leads to missed compliance obligations that could otherwise have been mapped. Capco’s Regulatory Intelligence Library and Regulatory Data Feed help clients minimize risk by illuminating regulator expectations, identifying obligations, and defining the associated risks and controls. Capco supports institutions as they work to minimize risk by proactively identifying legal and regulatory requirements and supervisory expectations and analyzing the impact of geopolitical events on their business. Our Center for Regulatory Intelligence (“CRI”) is a single source of comprehensive research and analysis drawn from primary source documents, government surveillance, industry networks, and qualitative and quantitative data.
Conclusion

The business units of financial institutions own the data assets of the firm, and therefore play a critical role in defining the data governance strategy. We believe that prior to undertaking any data compliance discussions, financial institutions must ensure there is participation from all business, compliance, and IT units. Technologists are responsible for ensuring controls are effectively in place and tested on data assets. Compliance must ensure the controls are adequate and meet existing regulatory requirements. Institutions must realize that regulators are here to ensure a healthy and law-abiding financial ecosystem, and that the landscape is ever-changing. To stay truly compliant, a financial institution must have a clearly defined data strategy, supplemented with a regulatory intelligence function. By adopting this approach, it can be both agile and adaptive in responding to continuously evolving regulatory needs and conditions. Stay tuned for more insights, guidelines, and best practices specific to a range of services within financial services, from Retail Banking and Capital Markets to Wealth and Investment Management.